Converged SASE Backbone – How Leading SASE Provider, Cato Networks, Reduced Jitter/Latency and Packet Loss by a Factor of 13!
Global connectivity is top of mind for many IT teams at organizations of all sizes. We are currently in the middle of a dramatic shift in business and technology practice, as users are becoming more mobile while applications are being transitioned to the cloud. This shift will only accelerate as companies will look to leverage the speed and agility of cloud services with the operational, cost and quality advantages of a geographically distributed work force. While Covid-19 has contributed to the acceleration of this shift, the change was always inevitable once technology was ready. Legacy connectivity and security products have long been a barrier to progress.
- SASE is the Answer
- A Converged Private Backbone is Essential
- The Proof is in the Packets – Testing a Converged SASE Solution
SASE is the Answer
With uncanny timing, Gartner introduce the Secure Access Service Edge or SASE near the end of 2019, just before the Covid-19 virus started to gain global traction. SASE represents the shift away from castle & moat security with resources siloed into just a few corporate datacenters. After all, if organizations are consuming collaboration and productivity tools from the cloud, why not security and connectivity too?
While there is much buzz around SASE with security and networking vendors, and some debate over what products and services fit the SASE moniker, the intention is simple: leveraging economies of scale, organizations should purchase SASE as a cloud delivered service with global presence that brings security closer to the user. The user can be remote, mobile or in a corporate owned facility, regardless of physical location, the user’s access and security posture should remain consistent.
Figure 1: Cato PoP Map (click to enlarge)
At Cato Networks we built the first SASE solution, starting way back in 2015. We’ve grown to 70+ Point-of-Presence (PoPs) globally that fully converge networking and security into a single platform. With our experience we believe that a global private backbone is an essential component of a true SASE solution. If we consider that the goal is consistent access and security with reduced cost and complexity, we must recognize that the ability of a user to access resources applies not just to access controls and services, but also to the usability and reliability of that user’s access. Essentially –users must have predictable performance to be productive.
A Converged Private Backbone is Essential
Reliability and predictability of connectivity isn’t a new concept or focus area for technical teams. Organizations have been using MPLS and other methods to achieve this for years. But MPLS is expensive, resulting in reliable, low bandwidth links to just a few places. Don’t forget that this approach completely neglected remote users who traditionally have had to VPN across the public Internet to reach datacenter security and resources.
Fast forwarding to today, most SASE vendors position their services as a way to reduce or eliminateMPLS, but completely ignore the unpredictability of the public Internet. Cato’s service was architected with this in mind, and we connected our PoPs with a global private backbone of multiple tier 1 providers. Our customer’s packets aren’t taking the cheapest possible route across tier 3 providers, instead taking the most efficient route to the destination. Combined with our WAN optimization capabilities, Cato ensures reliable, predictable performance for all users and locations.
Figure 2: Cato Network Rules (click to enlarge)
The easiest way to see if a SASE vendor has a converged private backbone is to look at their management console. Your vendor should enable you to make granular Internet & WAN rules to manage the handling and routing of your traffic. In addition to priority level, you should be able to control egress PoP location, even egressing your traffic from dedicated private IP addresses, and enabling things like TCP optimization and packet loss mitigation.
Figure 3: Network Rule Criteria (click to enlarge)
Figure 4: Network Rule Actions (click to enlarge)
Having the ability to configure these policies directly in the management interface demonstrates that the backbone is a converged component of the solution. You should not have to open tickets and wait for routing policies to be created on your behalf, instead you should have direct control with the ability to deploy or modify policies in real-time.
Controlling egress location allows you to maximize your utilization of Cato’s global private backbone, egressing your traffic as close to the destination as possible. The ability to use dedicated private IP addresses mean that you can use source-IP anchoring policies for SaaS application security, without having to backhaul your traffic anywhere.
The ability to create and manage your WAN and Internet traffic with policies is key, but also essential is understanding how these policies are impacting your traffic and real-time visibility into performance. Cato allows you real-time views into performance, priority level and application usage. These insights are invaluable in ensuring your policies are meeting your organization’s needs or evaluating potential changes that may be required.
Figure 5: Traffic Priority Analyzer (click to enlarge)
The Proof is in the Packets – Testing a Converged SASE Solution
To demonstrate the real-world implications of a converged SASE solution with a global private backbone, we ran PingPlotter to a server in China over a 48-hour period using both the public Internet and Cato’s backbone. Connectivity into China is usually complex due to regulation and the great firewall, but Cato’ PoP network can easily enable organizations access into and out of China (Cato has 3 PoPs in China and a government approved link to Hong Kong).
As you can see below, the results speak for themselves. When utilizing Cato’s backbone, we had only 20ms of Jitter, down from 260ms on the public Internet. We also had much less packet loss with our connection being far more reliable and consistent. You can just imagine the difference in user experience when using file sharing, VOIP or collaboration tools:
Figure 6: PingPlotter Tests (click to enlarge)
The promise of SASE is to bring security and connectivity to all edges with less cost and complexity. To do this effectively, a SASE vendor must have a global private backbone. At Cato, we built our SASE cloud from the ground up, fully converging networking and security into a single platform delivered from 70+ global PoPs that are connected by a private backbone composed of multiple Tier 1 providers. Cato allows you to quickly connect and secure users and locations at global scale with ease, don’t take our word for it request a demo here.
More information on SD-WAN and SASE can be found in our dedicated SASE and SD-WAN section.